Cyber security and ISPs

06th September 2016

Better law enforcement training and coordination of cyber security and support for a Government-backed awareness campaign are among findings of an ISP cyber security survey carried out by the Internet Services Providers’ Association (ISPA). The trade body surveyed its members across a range of cyber security areas, including where it sits in their business, the nature and impact of cyber-attacks, the tech used to safeguard networks and the role of end users, Government and law enforcement.

The survey findings demonstrate ISPA says that cyber security is a rising priority, with senior responsibility within the company as ISPs and customers are subject to regular attacks. ISPA says Government and law enforcement should prioritise awareness raising and education, and improve how they deal with reports and coordination of cyber security.

Launching the report and recommendations, ISPA Chair James Blessing said: “Cyber-security is critical, and this survey shows how it has become an even bigger issue for ISPs. The survey also reveals that industry believes Government and law enforcement need to raise their game in tackling cyber crime and need to have a clear plan on how they will be tackling offenders and raising awareness among users. The survey further shows a real belief among ISPA members in a partnership approach with different stakeholders playing their part. This means government, law enforcement, internet companies, individual users, ISPs and businesses all working together to protect networks, follow good cyber hygiene, mitigate threats and bring offenders to justice.”

With over 90 per cent of ISPs coming under some form of attack, over three quarters of respondents planned to spend more on cyber-security. Responsibility for cyber-security lies with the top layer of management for 93 per cent of respondents and over three quarters said it had become an even more important priority in the last five years. Cyber is good for business too, with 75 per cent saying they had been asked about cyber security by potential customers. ISPs are concerned that intrusive powers in the Investigatory Powers Bill will compromise security, and that better enforcement and more prosecutions were more effective than new regulation.

ISP role

Most, 85 per cent of those surveyed said ISPs should take a proactive role in cyber security, with 92 per cent offering free tools and assistance for customers and 100 per cent either have reported or would report breaches, and more than two-thirds sharing information with industry colleagues.

Government and law enforcement

Law enforcement needs to improve how it handles cyber-crime with a wide gap in reports actually leading to successful investigations. Of the 83 per cent of respondents who reported cyber-crime to the police, only 20 per cent felt reports were consistently followed up and 30 per cent said reports received no response at all. When asked how cyber-crime could be better handled, ISPs said the police needed more funding and better training, better threat information sharing and a new education and public information campaign for end users.

Findings

The results from the ISPA members that were surveyed reveal 10 key findings:

1. Cyber-security is an increasing priority for 79 per cent of ISPs surveyed, 77 per cent said spending is increasing and MDs or C-Suite executives are accountable for cyber-attacks;
2. 92 per cent are subject to cyber-attacks on a daily (31 per cent), weekly (23 per cent) or monthly (38 per cent) basis;
3. ISPs provide a wide variety of tools and services to protect networks and tools to end users;
4. 85 per cent of those surveyed said ISPs should have a proactive role to play in maintaining customer protection and mitigation;
5. ISPs take a proactive approach, with 84 per cent of those surveyed having reported incidents and breaches and 92 per cent provide advice and tools;
6. ISPs want Government to focus on awareness raising (64 per cent) rather than creating new regulations (18 per cent) to meet the challenges of cyber security;
7. Law enforcement should prioritise better training (83 per cent) and coordination with industry (83 per cent), as well as increase funding (58) and prosecutions (50 per cent)
8. 91 per cent are concerned about Government surveillance measures impacting on network security;
9. There is inconsistency with how law enforcement deals with ISP incident reporting; and
10. While a large number of public bodies are in contact with ISPs, a third receive little or no contact.

Recommendations

In response to the survey, ISPA has made the following recommendations:

1. Government should focus be on education, awareness and work collaboration with industry rather than resorting to legislation;
2. Government must consider the damage surveillance legislation can have on network security, such as the intrusive hacking powers within the Investigatory Powers Bill;
3. Law enforcement should prioritise better training of officers and coordination of cyber security;
4. There needs to be more consistency when an ISP reports a case to law enforcement so that all reports are followed up and investigated to bring criminals to justice; and
5. Authorities must do more to reach out to the full breadth of the ISP industry, engaging them in information sharing work and consultation.